another newbie question

Carter Bullard carter at qosient.com
Tue Jan 20 12:39:12 EST 2004


Hey Guys,
   Kevin is right, argus-clients do not use tcpdump's filter.
Don't use '!', unless you escape it, as most shells use it
as a history char.

So, your network filters are not quite right, and they are
not equivalent.

	net 192.168.10.0 mask 255.255.0.0
	net 192.168.0.0 mask 255.255.0.0
	net 192.168.1.0 mask 255.255.0.0

The way it works is that the filter takes the address to
be tested, applies the mask, and then compares the result to
the network address provided.  So, the first and third filters
will never match, as the third octet will be obliterated
by the mask, and the result will not equal the provided
network address.

Try a CIDR address, or if it's a classic C/B/A address, you
can put just the network number.

   ramon [options] - dst net 192.168.0.192/26 and not net 192.168.10


Carter


-----Original Message-----
From: owner-argus-info at lists.andrew.cmu.edu
[mailto:owner-argus-info at lists.andrew.cmu.edu] On Behalf Of Kevin C Miller
Sent: Tuesday, January 20, 2004 12:06 PM
To: Furnish, Trever G; Argus List (E-mail)
Subject: Re: another newbie question

It's just the BPF language that tcpdump and others use.

I would use 'not' instead of '!', e.g. "dst net 192.168.0.64 mask
255.255.0.192 and not net 192.168.1.0 mask 255.255.0.0"

Also, 255.255.0.192 isn't a valid netmask. Do you mean 255.255.255.192 ?

-Kevin

--On Tuesday, January 20, 2004 11:58 AM -0500 "Furnish, Trever G"
<TGFurnish at herff-jones.com> wrote:

> [root at enterprise u01]# ramon -M Matrix -n -L0 -r /u01/argus.log - dst net
> 192.168.0.64 mask 255.255.0.192 and ! net 192.168.1.0 mask 255.255.0.0 |
> wc -l
>     341



---------------------------------------------------
Kevin C. Miller <kcm at cmu.edu>
Network Development
Carnegie Mellon University
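Carter's description of how a `net` term is evaluated (mask the address under test, then compare the result with the network written in the filter) and Kevin's point that 255.255.0.192 is not a valid netmask, modelled in a small added Python example. This is not argus or libpcap code: the function names, the `check_net` messages and the sample addresses are constructed for the illustration. The classful shorthand (a dotted triple such as `192.168.10` meaning 192.168.10.0 with a 255.255.255.0 mask, missing octets zero, mask covering the octets given) follows the tcpdump filter syntax Carter's last line relies on.

```python
"""Model of a BPF-style `net` filter term for IPv4 (added example, not
argus's or libpcap's own implementation). The test is:
    (address_under_test & mask) == network
so a filter whose network address has bits set outside its mask can
never be true, which is why two of the three filters in the thread
match nothing.
"""
from __future__ import annotations

import ipaddress

ALL_ONES = 0xFFFFFFFF


def _ip(s: str) -> int:
    """Dotted quad -> 32-bit int."""
    return int(ipaddress.IPv4Address(s.strip()))


def _prefix_mask(bits: int) -> int:
    """/N prefix length -> contiguous 32-bit mask."""
    if not 0 <= bits <= 32:
        raise ValueError(f"prefix length out of range: {bits}")
    return (ALL_ONES << (32 - bits)) & ALL_ONES


def parse_net(spec: str) -> tuple[int, int]:
    """Parse one `net` argument into (network, mask) as 32-bit ints.

    Accepted forms: 'A.B.C.D mask M.M.M.M', 'A.B.C.D/N', and the
    classful shorthand 'A.B.C', 'A.B' or 'A' (missing trailing octets
    are zero; the mask covers the octets that were written, so a full
    dotted quad on its own gets a /32 mask).
    """
    spec = spec.strip()
    if " mask " in spec:
        net_s, mask_s = spec.split(" mask ", 1)
        return _ip(net_s), _ip(mask_s)
    if "/" in spec:
        net_s, bits = spec.rsplit("/", 1)
        return _ip(net_s), _prefix_mask(int(bits))
    octets = spec.split(".")
    if not 1 <= len(octets) <= 4:
        raise ValueError(f"bad network spec: {spec!r}")
    padded = ".".join(octets + ["0"] * (4 - len(octets)))
    return _ip(padded), _prefix_mask(8 * len(octets))


def mask_is_contiguous(mask: int) -> bool:
    """True if mask is a run of ones followed by a run of zeros
    (255.255.0.192 fails this; 255.255.255.192 passes)."""
    inv = (~mask) & ALL_ONES
    return inv & (inv + 1) == 0


def check_net(spec: str) -> list[str]:
    """Problems to know about before putting `net <spec>` in a filter:
    a non-contiguous mask, or host bits set in the network address
    (after masking, the result can never equal the written network,
    so the term never matches anything)."""
    net, mask = parse_net(spec)
    problems: list[str] = []
    if not mask_is_contiguous(mask):
        problems.append("mask is not contiguous")
    if net & mask != net:
        problems.append("host bits set: never matches")
    return problems


def net_matches(addr: str, spec: str) -> bool:
    """The filter test itself: (addr & mask) == network."""
    net, mask = parse_net(spec)
    return (_ip(addr) & mask) == net


def select(addrs: list[str], spec: str) -> list[str]:
    """Addresses from addrs that the `net <spec>` term would keep."""
    return [a for a in addrs if net_matches(a, spec)]


# Constructed sample addresses; not taken from the thread's argus.log.
SAMPLE = ["192.168.10.5", "192.168.1.7", "192.168.0.200",
          "192.168.0.100", "10.0.0.1"]

if __name__ == "__main__":
    for spec in ["192.168.10.0 mask 255.255.0.0",   # never matches
                 "192.168.0.0 mask 255.255.0.0",    # the one that works
                 "192.168.1.0 mask 255.255.0.0",    # never matches
                 "192.168.0.64 mask 255.255.0.192", # Kevin's invalid mask
                 "192.168.0.192/26",                # Carter's CIDR form
                 "192.168.10"]:                     # classful shorthand
        print(f"{spec:32} problems={check_net(spec)} "
              f"matches={select(SAMPLE, spec)}")
```

Running `check_net` over a filter before feeding it to `ra`/`ramon` is the quick sanity check the thread is missing: a term that reports "never matches" will silently produce zero records rather than an error.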